So my current advice is
to treat any file as a potential problem, no matter what it is
called. Even .txt, .rtf and .htm files may be a risk, thanks to
"active content" in HTML web pages and e-mail and
Word's inanity regarding macros.

It's not only files that
run; web pages that you visit on the Internet may contain
malicious or buggy active content, scripts can be embedded within
HTML formatted email message bodies, and some email programs can
be tricked into running raw code hidden within hyperlinks within
the message itself.

The big one is (6). Good
build practice protects against (1, 3, 4, 5, 9) by setting up the
PC and its software to minimize risk - but (2, 6) are up to you.

What is malware?

Malicious wares are
files, code or content that act in an unexpected or undesirable
manner; this includes trojans, viruses and worms - and yes, some
commercial software. There's more on how these work.

What is a virus?

A virus is code that
causes itself to be reproduced, infecting other disks or files
and so causing it to spread. Because Word auto-runs macros, it is
possible to write viruses that infect Word documents; indeed,
these may now (mid-2000) be the world's most common viruses.
However, expect active content in HTML e-mail to become as common.

Viruses may attempt to
do no harm, but cause problems as a side effect of bad coding or
compatibility issues. On the other hand, many (if not most)
viruses will carry a payload that causes damage, timed to be executed
after a certain number of days or events, or on a certain date (e.g.
the original CIH hatched on 26 April).

What is a worm?

A worm is code that
causes itself to spread over a network, infecting other systems.
Typically it will do so by mailing itself to other addresses (e.g.
Melissa) or by attaching itself to all messages you send (e.g.
Happy99). Because the sending is automated, to addresses taken from
your address book or your mail, knowing who sent a message is not
enough reason to trust it.

The distinction between
worm (e.g. Happy99) and virus (e.g. CAP) is blurred by malware
such as Zipped_Files and Melissa. These arrive as trojans or
viruses, may spread as viruses, but also send themselves off
directly as worms do.

What is a trojan?

A trojan is a program or
file that appears to be desirable, useful or interesting, but
harbors malicious code. "Joke" programs sent as e-mail,
pirate software downloaded from "warez" sites, and even
web pages and HTML e-mail "text" can be trojans. Unlike
worms and viruses, a pure trojan does not have to infect other
networks, systems, disks or files to spread. However, many
automate their spread as worms.

What is a RAT?

A Remote Access Trojan
is a program that effectively acts as a "virtual keyboard"
on the system, allowing hackers to access your computer over the
Internet. Files can be downloaded and read, uploaded to your
system, or deleted, and arbitrary programs can be run on the
system as well. As there is a live human at the other end, with a
high degree of access to the PC, the behavior of a RAT is not
bounded by the code itself. In particular, passwords and credit
card numbers may be stolen and used.

What are attachments?

Arbitrary files can be
sent along with e-mail messages as enclosures or attachments.

Such files can be
anything; trojans, trojan web pages, virus infected documents and other files. This is the
most common form of malware spread, and clueless users are not
only falling victim to this but are causing the problem by
allowing their systems to spread this to other users. Please do not be part of this problem!

What is active content?

Active content includes
Java, JavaScript and VBScript. These are programming or scripting
languages that are sent from a website to the computer that
visits the site, and run on that computer, without the user's
knowledge or consent. This is clearly beyond the bounds of safe
computing practice!

Because active content
can go anywhere HTML can go, and because many e-mail programs
send mail in HTML form, even the e-mail message itself can be
dangerous.

What is a payload?

The payload is what the
malware does that is offensive! Includes:

(1) Privacy; passwords,
credit card numbers etc. sent over the Internet

(2) Impersonation;
sending messages as if from yourself

(3) Damage; deleting
and trashing your data and system files

(4) Hardware damage;
reprogramming the BIOS so the system cannot boot

(5) Denial of service;
interferes with system functionality

By the way, (3) and (4)
are non-trivial. Corrupted data cannot always be recovered, no
matter how many hours of labor you are prepared to pay for, and a
corrupted BIOS can require replacement of the motherboard or the entire
system ("name" PCs and laptops).

What's wrong with Microsoft?

Part of the reason
Microsoft products are targeted is because they are so commonly
used, and because Microsoft is unpopular with some users for
various reasons. But a large part of the problem is the nature of
Microsoft's products themselves.

MS Word will not only automatically
run macros (i.e.
programs) of a certain name within any document, but will do so
even when the file has a non-Word file extension such as .txt (plain
text), .rtf (Rich Text Format, which is an open standard and
should have no macros) or .htm (HTML, the stuff of which web
pages are made). Word decides what a file is from its contents, not
from its name.

This is nasty, because
people will typically use .txt, .rtf and .htm in an attempt to
send data in a safe way that can be read in any program - so
these should never contain Word macros anyway! There is another
flaw: if a file recognized as being associated with Word is
right-clicked and the Print option is used (intuitively, this
would appear to be safe practice), the macro warning is bypassed
and macros run.
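As an added example (my own code, not from the original article), here is the check that paragraph implies: decide what a file really is from its first bytes rather than from its name, so a "text" file that is actually a binary Word document gets caught before anything opens it. The OLE2 header, RTF and HTML prologues are the standard signatures; the sample "attachments" and the suspect rule are constructed for the demonstration.

```python
"""Tell what a file really is from its content, ignoring the extension.

Added example, not code from the original article. A file called
.txt, .rtf or .htm that actually starts with the OLE2 compound-file
header is a binary Word/Excel/PowerPoint file, and Word will open it
as such, macros and all. The signatures are the standard ones; the
sample files below are constructed for the demonstration, and the
"suspect" rule is this example's own policy.
"""
import os

# OLE2 compound document header used by the Word 97 .doc format (and .xls, .ppt).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# What people mean when they choose these extensions: safe, plain data.
SAFE_LOOKING = {".txt": "text", ".rtf": "rtf", ".htm": "html", ".html": "html"}


def sniff(data: bytes) -> str:
    """Return the real format of the content, judged from its leading bytes."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"                       # binary Office file: may carry macros
    if data.startswith(b"{\\rtf"):
        return "rtf"                        # RTF has no macro language of its own
    head = data.lstrip()[:64].lower()
    if head.startswith(b"<!doctype") or head.startswith(b"<html"):
        return "html"
    if all(32 <= b < 127 or b in b"\r\n\t" for b in data):
        return "text"                       # nothing but printable ASCII
    return "unknown"                        # some other binary


def classify(filename: str, data: bytes) -> dict:
    """Compare what the name claims with what the content is."""
    ext = os.path.splitext(filename)[1].lower()
    claimed = SAFE_LOOKING.get(ext, "other")
    actual = sniff(data)
    macro_capable = actual == "ole2"
    mismatch = claimed != "other" and actual != claimed
    return {
        "file": filename,
        "claimed": claimed,
        "actual": actual,
        "macro_capable": macro_capable,
        # Policy of this example: a "safe" name on the wrong content, or any
        # macro-capable container, gets scanned or binned before it is opened.
        "suspect": mismatch or macro_capable,
    }


def audit(samples: dict) -> list:
    """Names of the sample files that should not be opened on trust."""
    return [r["file"] for r in (classify(n, d) for n, d in samples.items()) if r["suspect"]]


# Constructed sample "attachments" (contents made up for this example;
# the OLE2 one is just the header plus padding, not a real document).
SAMPLES = {
    "notes.txt": b"Meeting at 10am.\r\nBring the figures.\r\n",
    "report.txt": OLE2_MAGIC + b"\x00" * 504,                        # really a Word binary
    "memo.rtf": b"{\\rtf1\\ansi\\deff0 {\\fonttbl{\\f0 Arial;}} Hello.}",
    "page.htm": b"<!DOCTYPE html><html><body>Hi</body></html>",
    "readme.txt": b"<html><body onload=\"alert(1)\">hi</body></html>",  # HTML wearing .txt
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        r = classify(name, data)
        flag = "SUSPECT" if r["suspect"] else "ok"
        print(f"{name:12} claims {r['claimed']:5} is {r['actual']:7} {flag}")
```

Run as-is it flags report.txt (an Office binary under a text name) and readme.txt (HTML under a text name) and passes the three honest files; the same sniff() can be pointed at a download directory before anything in it is double-clicked.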

MS PowerPoint and Excel
also autorun macros within their files, and hybrid malware was
beginning to appear when this document was written, which can hop
from one Office application to another or attack the system via
active content scripting or dropped program code files. Active
content can re-attack
the system via "Active Desktop" and "View as Web
Page".

Item (3) is interesting.
If one creates a very long hyperlink (those blue things that run
attached files or whisk you off to a web site when clicked) and
places raw code at the end of it, one can cause the program to
crash or run that code as if it were part of the program. That raw
code can do anything; infect files, trash data, whatever software
can do. Most programs will check that external data (such as a
link) is not too long to fit in the program's buffer before
copying it in. Alas, not MS - even their heavy-duty NT Server has
situations where unchecked buffer overruns can be exploited.

One of the worst bugs
allows arbitrary files to be embedded in HTML (email "messages",
web pages) in such a way that they are automatically "opened"
even if you don't click anything. You simply have to fix
this!
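The following is an added example, not code from the original article or from any mail client, and it covers both the active-content warning above and the over-long hyperlink problem: a scanner that reads an HTML message body and reports script blocks, event-handler attributes, javascript:/vbscript: links, embedded objects and hyperlinks longer than an assumed buffer limit, without rendering or running anything. MAX_LINK_LEN and the sample message are made up for the demonstration.

```python
"""Scan an HTML e-mail body for active content and suspect hyperlinks.

Added example, not code from the original article or from any mail
client. It looks for the things the article warns about: script blocks
and event handlers that run as soon as the message is rendered, links
that use a script scheme, embedded objects that pull in another file,
and over-long hyperlinks of the kind used to smuggle raw code into an
unchecked buffer. The tag and attribute names are the standard HTML
ones; MAX_LINK_LEN and the sample message are assumptions made up for
the demonstration.
"""
from html.parser import HTMLParser

EMBED_TAGS = {"object", "embed", "applet", "iframe"}   # Java, ActiveX or another file
ACTIVE_SCHEMES = ("javascript:", "vbscript:")
MAX_LINK_LEN = 256   # assumed limit; a real client's buffer size is unknown here


class ActiveContentScanner(HTMLParser):
    """Collects (kind, detail) findings; it never executes anything."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}
        if tag == "script":
            self.findings.append(("script", a.get("language") or a.get("type") or "script"))
        elif tag in EMBED_TAGS:
            target = a.get("src") or a.get("data") or a.get("code") or ""
            self.findings.append(("embed", f"<{tag}> {target}"))
        for name, value in a.items():
            if name.startswith("on"):                       # onload=, onmouseover=, ...
                self.findings.append(("event-handler", f"{name} on <{tag}>"))
            if value.strip().lower().startswith(ACTIVE_SCHEMES):
                self.findings.append(("script-url", value[:40]))
            if name in ("href", "src") and len(value) > MAX_LINK_LEN:
                self.findings.append(("overlong-link", f"{len(value)} bytes in <{tag} {name}>"))


def scan(html: str) -> list:
    """Return the list of (kind, detail) findings for one message body."""
    scanner = ActiveContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def verdict(html: str) -> str:
    """What a cautious client should do with this body."""
    return "render as plain text only" if scan(html) else "no active content found"


# Constructed sample message (made up for this example).
LONG_LINK = "http://example.com/?q=" + "A" * 300      # junk where a URL should end
SAMPLE = f"""<html><body>
<p>Here are the files you requested.</p>
<a href="http://example.com/report">Report</a>
<img src="logo.gif" onmouseover="window.open('http://example.com/x')">
<a href="javascript:alert('hi')">Click me</a>
<script language="VBScript">MsgBox "hello"</script>
<object data="attachment.exe"></object>
<a href="{LONG_LINK}">link</a>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan(SAMPLE):
        print(f"{kind:14} {detail}")
    print(verdict(SAMPLE))
```

On the sample the scanner reports five findings (an onmouseover handler, a javascript: link, a VBScript block, an embedded object and a 322-byte hyperlink) and the verdict is to show the message as plain text only. Note that the first three would already have run, with no click, in a client that rendered the body; the point of parsing rather than rendering is that the scanner sees them and the user never does.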

Safe Computing - The Response

How to be safe?

Choose your software carefully.

Where e-mail is
concerned, I used to stick to Eudora 3.06 as it is not vulnerable
to buffer overruns, does not execute active content in HTML mail,
and (the biggie) it creates incoming attached
files as separate files
as they are downloaded. I now (end 2000) use Eudora 5.02, which requires some
options settings to wall out a few risks (e.g. don't use
Microsoft's HTML viewer) but thereafter is as safe as Eudora 3.xx,
though prettier.

That means you can
simply virus check one (known) directory to scan all files
downloaded to date - whereas in (say) Outbreak, you have to avoid
double-clicking the link ("bang; you're dead" if you do)
and save it as a file instead. Then, remember where you saved it and
what it was called, then go out of Outbreak to (say) Explorer to
find the file and scan it. And repeat all that all over again for
each file you receive.

It also means that if
you receive a trojan and want to delete all occurrences of it,
you can simply do a Find for that file and you will find them all.
Whereas with Outbreak, the file will be hidden within the mail
box where Find can't find it and the virus scanner can't scan it.
Even if you delete the message, it will still be in the "Trash"
unless you delete it there as well.

My build practice does
that, but by
installing an ISP's software CD, you will most likely breach this
protection. This may have re-enabled auto-running of CDs, your
newly-installed web browser will have valid e-mail settings that
facilitate malicious auto-sending of malware, and it is probably
set to run all forms of active content without your knowledge or
consent.

You should consider re-instating
protection against active content (Tools, Options, Security tab,
Custom, set everything except download and drag-n-drop to Prompt
or Disable), and the use of a safer e-mail application.

"Here are the files
you requested" is not a meaningful reference to attached
files; several trojans and worms use similar generic phrasing when sending
themselves to addresses stolen from your own "address book"
(Melissa with Outlook) or incoming messages (Zipped_Files trojan).

Don't send
attachments unless you need to, and if you do, describe every
file you send in a meaningful way. Don't presume the trust of
strangers by sending them unsolicited attachments, especially
"joke" files received from other strangers.

Don't
allow active content to run unless you trust the site and the
site needs it to do something important and useful to you (e.g. a
banking site or a sign-up server).

Don't
"open" files off a diskette without virus checking
first, and I'd extend that advice even to computer CDs.

Do virus
check any files you download off the web before using them.

Be realistic about your virus scanner

A scanner is only as
good as its signature files, so update these regularly -
at least monthly. For example, F-Prot uses files
from www.complex.is, and these are updated several times a month.

However, in an age of
easy-to-use scripting and macro languages, where the malware is
editable source code that others can modify, you can expect script
kiddies to spawn new variants at a prodigious rate. With online web
pages that can be updated (or hacked) every few hours, and CD-ROM
disks that contain a million e-mail addresses for sale, the risk of
encountering new malware unknown to your scanner is non-trivial.

So, check everything
external before use, but if the file is of dubious origin and/or
unsolicited (see "Think before you click") just don't "open"
it at all.

After all, you don't
feel obliged to read every junk mail stuffed into your letterbox;
why should you open every potential parcel-bomb thrown through
the window?